GB2324895A - Controlling the access to objects in a Management Information Base in an OSI managed network - Google Patents


Info

Publication number
GB2324895A
Authority
GB
United Kingdom
Prior art keywords
scope
moi
access
tree
denial
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
GB9804706A
Other versions
GB9804706D0 (en)
Inventor
Kiyohito Yoshihara
Hiroki Horiuchi
Keizo Sugiyama
Sadao Obana
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
KDDI Corp
Original Assignee
Kokusai Denshin Denwa KK
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Kokusai Denshin Denwa KK

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/02 Standardisation; Integration
    • H04L41/0213 Standardised network management protocols, e.g. simple network management protocol [SNMP]
    • H04L41/0233 Object-oriented techniques, for representation of network management data, e.g. common object request broker architecture [CORBA]
    • H04L41/04 Network management architectures or arrangements
    • H04L41/052 Network management architectures or arrangements using standardised network management architectures, e.g. telecommunication management network [TMN] or unified network management architecture [UNMA]
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y10 TECHNICAL SUBJECTS COVERED BY FORMER USPC
    • Y10S TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y10S707/00 Data processing: database and file management or data structures
    • Y10S707/99931 Database or file accessing
    • Y10S707/99932 Access augmentation or optimizing

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

In a network management system based on the Open System Interconnection (OSI), access by a management operation to "target" Managed Object Instances (MOIs), managed by a naming tree construction and stored in a Management Information Base (MIB) (fig. 3), is controlled with access denial and permission being quickly decided. In a pre-process stage S0, the BER-encoded identification name of each MOI in the naming tree is converted to an index (fig. 11 and S1, fig. 10). Next, for each "scope" designated by the management operation, the corresponding range of MOIs in the tree is determined (fig. 12 and S2, fig. 10) and this correspondence is tabulated (S3, fig. 10). At every issue of the management operation, S1, access denial and permission, S2, are decided by using this pre-process data (fig. 14). When naming tree configuration changes occur, S3, the data can be revised, S4 (figs. 15 and 17), so that the access control is adaptive to the dynamic change of the naming tree.

Description

Specification
TITLE OF THE INVENTION
Method for Access Control on MIB in OSI Management
FIELD OF THE INVENTION
This invention relates to a method for access control on an MIB (Management Information Base) in OSI (Open System Interconnection) management. More especially, this invention relates to an access control method in which a managed object instance is used as an access unit. Furthermore, this invention relates to a method for converting an identification name of an MOI (Managed Object Instance), a method for enumeration of the scope of MOI, a method for enumeration of a target of MOI and a method for detecting an intersection of MOI.
BACKGROUND OF THE INVENTION
Words on a tree, network management based on OSI management, MOI and the naming tree, scope and target, and an abstract of the ITU-T recommendation on the access control method are described.
(Words on a tree)
Words such as "parent" on a tree are described.
A set having one or more top points (vertices) is called a tree if the following conditions (1) and (2) are satisfied.
(1) The set T has a specific top point called the root. (2) The set of top points of T other than the root is divided into an empty set or one or more trees T1, T2, ... which have no elements in common with each other. These sets are called directly partial trees.
The root of a tree having no directly partial tree is called a leaf. A top point which is not a root and not a leaf is called an inner point. Fig. 19 shows a tree T which has nine top points indicated by circles 0-8.
In Fig. 19, the top point 0 is the root. There are two directly partial trees T1, T2 in the tree T. One directly partial tree T1 comprises one top point 1; the other directly partial tree T2 comprises top points 2, 3, 4, 5, 6, 7 and 8. Because the tree T1 has no directly partial tree, the root 1 of the tree T1 is a leaf of the tree T.
A top point which is included in a directly partial tree of the tree T whose root is a top point v is called a descendant of the top point v, and the root of the directly partial tree is called a child of the top point v. The point v is a parent of the child. In Fig. 19, the descendants of the point 2 are the points 3-8 and the children of the point 2 are the points 3-5. The parent of the points 3-5 is the point 2.
The length of the route from the root to each point is called the level of the point, and the maximum length among these routes is called the depth of the tree T. In Fig. 19, the length of the route from the root to the leaf 6 or 7 or 8 is the maximum, and the depth is 3.
In table 1, the type, parent, child, descendant and level of each point of the tree T shown in Fig. 19 are listed.
(table 1)
top point | type | parent | child | descendant | level
0 | root | none | {1, 2} | {1-8} | 0
1 | leaf | 0 | none | none | 1
2 | inner point | 0 | {3-5} | {3-8} | 1
3 | inner point | 2 | {6-8} | {6-8} | 2
4 | leaf | 2 | none | none | 2
5 | leaf | 2 | none | none | 2
6 | leaf | 3 | none | none | 3
7 | leaf | 3 | none | none | 3
8 | leaf | 3 | none | none | 3
(Network management based on OSI management)
In a network system based on the Open System Interconnection (OSI), an abstractly described management object is defined as an MO (Managed Object), and information of the MO is exchanged between a manager system and an agent system by using CMIS (Common Management Information Service). See [ITU-T Rec. X.711, Common Management Information Protocol for ITU-T Applications, Mar. 1991] and [Hisao Ohkane, TCP/IP and OSI network management - SNMP and CMIP, Research Center, 1992]. Hereinafter, the manager system is called a manager and the agent system is called an agent.
Fig. 1 shows network management based on OSI management. In Fig. 1, the network management is achieved by a network management system and a managed apparatus. The network management system comprises a management console 11 and a manager 12. The managed apparatus comprises an agent 13 and an MIB (Management Information Base) 14. In the MIB, a group of MO such as the total number of packets to be transferred, the total number of received packets and the total number of received packets including errors are stored. The network management is achieved by exchanging management information on MO through a network 15 between the manager 12 and the agent 13, on the basis of the CMIP (Common Management Information Protocol).
For example, when the manager 12 issues a management operation 16 that means "get" of the number of already received packets, the agent 13 sends a response 17 such as "88 packets" from the content of the MIB 14.
(Managed object instance and naming tree)
Regarding MO, a kind of MO having the same character is called an MOC (Managed Object Class). Each instance belonging to a certain MOC is called an MOI (Managed Object Instance). As an example of MOC, a printer MOC 18 is shown in Fig. 2(A), and a printer MOI 19 in the printer MOC 18 is shown in Fig. 2(B).
Regarding the naming tree, in Fig. 3, the logical naming tree comprises a plural number of MOI 20 shown by white circles. A group of MOI is managed by a tree construction and stored in the MIB. As an example of the naming tree, the naming tree 22 of a telecommunication carrier 21 is indicated by [M].
(Scope and Filter)
In CMIS, there are a scope (scope parameter) and a filter (filter parameter), by which one management operation can operate on a plural number of MOI, reducing the number of telecommunications between the manager and the agent. Generally, scope and filter are set by an operator and an application program.
Scope is a parameter for designating a range of MOI to be managed in the naming tree. When using scope, a BOI (Base Object Instance) is designated, wherein the BOI is the start point in the designation of the range. Table 2 shows the four kinds of scope defined by CMIS, namely BaseObject scope, BaseToNthLevel scope (N is a non-negative integer), NthLevelOnly scope (N is a non-negative integer) and WholeSubtree scope.
Fig. 4 shows some scope. In Fig. 4, BOI is MOI 23 indicated by a black circle.
(table 2)
scope | definition
BaseObject | The range is only the BOI.
BaseToNthLevel | The range is the group of all MOI from the BOI to the Nth-level MOI. The BOI itself is included.
NthLevelOnly | The range is the group of MOI just N levels below the BOI.
WholeSubtree | The range is the group of all MOI below the BOI. The BOI itself is included.
Namely,
1. As shown in Fig. 4(A), the object of the management operation of BaseObject scope is only BOI 23.
2. As shown in Fig. 4(B), the objects of the management operation of BaseToNthLevel scope are BOI 23 and the group of all MOI from BOI 23 to the Nth-level MOI (in Fig. 4(B), N=2).
3. As shown in Fig. 4(C), the objects of the management operation of NthLevelOnly scope are only the group of MOI just N levels below BOI 23 (in Fig. 4(C), N=3).
4. As shown in Fig. 4(D), the objects of the management operation of WholeSubtree scope are BOI 23 and the group of all MOI below BOI 23.
Filter is a parameter for further designating an object of a management operation from the MOI group in the range designated by scope. A filter is a logical expression indicating the size of MOI, coincidence of MOI and existence of MOI itself. As an example of a filter using an attribute of the printer MOI 19 shown in Fig. 2, there is the filter (connection interface = RS232C) and (number of printed sheets within the last one hour > 50), wherein "and" is a logical product.
(Abstract of access control based on ITU-T recommendation X.711)
For an interconnection among telecommunication carriers, network management based on OSI management is used, and a security function such as access control is very important. In ITU-T recommendation X.711, an "initiators" MOC, a "targets" MOC and a "rule" MOC are described, together with a plan for deciding denial and permission of the access. See [ITU-T Rec. X.711, Systems Management: Objects and attributes for access control, Dec. 1995].
Namely,
1. The "initiators" MOC is an MOC which indicates an initiator (an origin of issue of a management operation).
2. The "targets" MOC is an MOC which indicates an MIB to be protected from or to be opened to a certain authority. An object to be protected and an object to be opened are called a target. The target is designated by scope and filter.
3. The "rule" MOC is an MOC which indicates five rules for deciding denial and permission of the access from the "initiators" MOC and the "targets" MOC.
4. As shown in Fig. 5, as the five rules of the "rule" MOC, there are a global denial rule which denies an access of the management operation to all objects, an item denial rule which denies an access of the management operation to some objects, a global permission rule which permits an access of the management operation to all objects, an item permission rule which permits an access of the management operation to some objects, and a default rule which is applied when it is impossible to decide denial and permission by the four before-mentioned rules.
5. The decision of denial and permission is done according to the process shown in Fig. 5. In the step S1, it is judged whether an applicable global denial rule exists or not. If the rule exists, all accesses are denied. If the rule does not exist, in the next step S2, it is judged whether an applicable item denial rule exists or not. If the rule exists, an access according to an access unit is denied. The access unit will be described later. If the rule does not exist, in the next step S3, it is judged whether an applicable global permission rule exists or not. If the rule exists, all accesses are permitted. If the rule does not exist, in the next step S4, it is judged whether an applicable item permission rule exists or not. If the rule exists, an access according to an access unit is permitted. If the rule does not exist, in the next step S5, an access permission or an access denial is decided by the default rule. The default rule, generally, is set so as to deny the access.
As the access unit, there are a management operation (a rough access unit), an MOI being an object of a management operation (a moderate access unit) and an attribute of an MOI being an object of a management operation (a fine access unit). For any access unit, an algorithm is necessary to decide denial and permission, wherein the algorithm decides an intersection between the object of the management operation and the protect object, or decides the object of the management operation included within the open object.
However, such an algorithm is not prescribed by ITU-T recommendation X.711 at all.
Prior art will be described.
(Access control by using a management operation as the access unit)
There is known access control using a management operation as the access unit, reported by [Ohno, Yoda, Fujii; Access Control Method in Telecommunication Network, CS94(39):19-24, Jun. 1994].
This prior art will be described referring to Fig. 6 and table 3. The naming tree T shown in Fig. 6 comprises MOI indicated by A-N. Corresponding to the naming tree T, as shown in table 3, an "initiators" MOC, a "targets" MOC and a "rule" MOC are defined. MOI_A, MOI_B, MOI_C, ..., MOI_N are used in the case of designating each MOI.
(table 3)
MOC | MOI
initiators | initiators X
initiators | initiators Y
targets | targets 1: Wlc P ICI F 1401 G P MCI i:
targets | targets 2: W1 yta F I Mr':
rule | rule 1: X cannot access targets 1. (item denial rule)
rule | rule 2: Y can access targets 2. (item permission rule)
rule | rule 3: All management operations are denied. (default rule)
In table 3, the initiators X and the initiators Y are defined as MOI belonging to the "initiators" MOC. The initiators X is an MOI indicating the origin X of issue of the management operation, and the initiators Y is an MOI indicating the origin Y of issue of the management operation. Further, the targets 1 and the targets 2 are defined as MOI belonging to the "targets" MOC. The targets 1 is an MOI whose protect objects and open objects are MOI c. SDI:.. M01c; and MCI,. The targets 2 is an MOI whose protect objects and open objects are M01t. M01, and WIc;. The rule 1, the rule 2 and the rule 3 are defined as MOI belonging to the "rule" MOC. The rule 1 is an item denial rule which denies any management operation from the origin X of issue, the rule 2 is an item permission rule which permits all management operations from the origin Y of issue, and the rule 3 is a default rule which denies any management operation from all origins of issue.
(Decision of access denial in Fig. 6 and table 3: process of item denial rule)
For example, if a management operation having "WholeSubtree scope" whose BOI is MOI_J is issued from initiator X, the item denial rule 1 is applied according to table 3. At this time, as shown in Fig. 7, because MOI_I in the management operation 24 is included within the protect object 25, the management operation is denied.
Therefore, in the case of using the management operation as an access unit, if there is an intersection between a part of the object of the management operation and the protect object, the management operation is denied.
(Decision of access permission in Fig. 6 and table 3: process of item permission rule)
For example, if a management operation having "2ndLevelOnly scope" whose BOI is M.0I. is issued from initiator Y, the item permission rule 2 is applied according to table 3. At this time, as shown in Fig. 8, because MCI!: in the management operation 26 is not included within the open object 27, the management operation is not permitted.
Therefore, in the case of using the management operation as an access unit, unless all the objects of the management operation are included within the open object, the management operation is not allowed.
As mentioned above, in the prior art access control using the management operation as an access unit, if there is an intersection between the object of the management operation and the protect object, an MOI to which access is not permitted occurs even if the access should not be denied.
Further, in the prior art access control using the management operation as an access unit, if there is an intersection between the object of the management operation and the protect object, an MOI to which access is denied occurs even if the access is permitted.
These problems do not occur in an access control using the MOI as an access unit.
Therefore, it is desirable to provide a new access control using the MOI as an access unit.
It is further desirable to provide a method for converting the identification name, a method for scope enumeration, a method for target enumeration and a method for detecting an intersection.
SUMMARY OF THE INVENTION
In preferred embodiments of the present invention, a pre-process is provided for reducing the time required for the decision of denial and permission of access compared with the prior art. In this pre-process, a corresponding table, which indicates the relation between a scope and the set of MOI included in the scope, is made. Then, at every issue of the management operation, an intersection between the management operation and the protect object is decided by referring to the table. Further, at every issue of the management operation, the part of the management operation included in the open object is obtained by referring to the table, and access denial and access permission are then rapidly decided.
Namely, in preferred embodiments of the present invention, an identification name of MOI on the naming tree is converted to an index. One aspect of the present invention is a method for converting a name of MOI (Managed Object Instance) in a name tree to an index, wherein "n" denotes the number of MOI in the name tree, "⌈x⌉" denotes an integer rounded up from a value x and "XOR" denotes an exclusive OR, said method comprising:
a step for dividing a bit sequence into m blocks B_i (1 ≤ i ≤ m), wherein the number of bits of each block is N, which is given as ⌈log2 n⌉,
a step for calculating an exclusive OR of the j-th bit b_ij (1 ≤ j ≤ N) of each block B_i as C_j = b_1j XOR b_2j XOR b_3j XOR ... XOR b_mj, and
a step for making an N-bit sequence C_1 C_2 C_3 ... C_N as an index of the identification name by placing said calculated values C_j in order from C_1 to C_N,
wherein a value "0" is applied to the m-th block B_m if an insufficiency of bits occurs in the m-th block B_m.
Another aspect of the present invention is a method for enumeration of scope wherein, regarding each scope which can be designated in a management operation, an array "scope[]" whose size is n and which represents the MOI included in the scope is obtained as scope[i]=1 if MOI_i is included in the scope, and scope[i]=0 if MOI_i is not included in the scope.
Another aspect of the present invention is a method for enumeration of scope wherein, when a new MOI is added to a name tree, the new MOI is added to the BaseTojthLevel scope (i ≤ j), the WholeSubtree scope and the ithLevelOnly scope whose BOI (Base Object Instance) is MOI_mi (1 ≤ i ≤ p), wherein the MOI on the route from the MOI_m1 directly above the MOI to be added up to the root MOI_mp are put in order from MOI_m1 as MOI_m1, MOI_m2, ..., MOI_mp.
Another aspect of the present invention is a method for enumeration of scope wherein, when an MOI_md is deleted from a name tree, the MOI_md is deleted from the BaseTojthLevel scope (i ≤ j), the WholeSubtree scope and the ithLevelOnly scope whose BOI (Base Object Instance) is MOI_mi (1 ≤ i ≤ p), wherein the MOI on the route from the MOI_m1 directly above the MOI_md to be deleted up to the root MOI_mp are put in order from MOI_m1 as MOI_m1, MOI_m2, ..., MOI_mp.
Another aspect of the present invention is a method for enumeration of targets wherein, regarding each targets MOI which is a protect target to be protected from an authority or an open target to be opened to an authority, an array "targets[]" whose size is n and which represents the target MOI is obtained as targets[i]=1 if MOI_i is protected or opened, and targets[i]=0 if MOI_i is not protected and not opened.
Another aspect of the present invention is a method for making a table wherein, regarding each scope which can be designated in a management operation, a table corresponding to the MOI included in the scope is made.
A preferred embodiment of the present invention is a method for detecting an intersection wherein an intersection between a management object and a protect object is obtained by calculating in each bit a logical product (logical and) between the "scope[]" obtained by any of the above-mentioned methods and the negation of the "targets[]" obtained by the above-mentioned method.
Another embodiment is a method for detecting an intersection wherein an intersection between a management object and a protect object is obtained by calculating in each bit a logical product (logical and) between the "scope[]" obtained by any of the above-mentioned methods and the "targets[]" obtained by the above-mentioned method.
A further embodiment is an access control method using MOI as an access unit, comprising: a step for calculating in each bit a logical product (logical and) between the negation of each "targets[]" in an item denial rule obtained by the above-mentioned method and the "scope[]" obtained by any of the above-mentioned methods, and a step for allowing only an MOI for which scope[i]=1 based on said calculation.
A further embodiment is an access control method using MOI as an access unit, comprising: a step for calculating in each bit a logical product (logical and) between each "targets[]" in an item permission rule obtained by the above-mentioned method and the "scope[]" obtained by any of the above-mentioned methods, and a step for allowing only an MOI for which scope[i]=1 based on said calculation.
These access controls are adaptive to a dynamic change of the naming tree based on management operations such as M-CREATE and M-DELETE. Namely, based on a management operation such as M-CREATE or M-DELETE, a new MOI is generated or added to the naming tree, or an old MOI is deleted from the naming tree. Therefore, it is necessary to renew the corresponding table. In embodiments of the present invention, it is possible to easily revise only the part to be changed, so that it is not necessary to change all of the table.
DESCRIPTION OF THE DRAWINGS
Fig. 1 shows an abstract of network management based on OSI management.
Figs. 2(A) and 2(B) show examples of MOC and MOI.
Fig. 3 shows a naming tree.
Fig. 4(A) shows scope.
Fig. 4(B) shows scope.
Fig. 4(C) shows scope.
Fig. 4(D) shows scope.
Fig. 5 shows a process of decision of denial and permission based on ITU-T recommendation X.711.
Fig. 6 shows a naming tree.
Fig. 7 shows a prior art.
Fig. 8 shows a prior art.
Fig. 9 is a flow chart showing the whole of access control based on an embodiment of the present invention.
Fig. 10 is a flow chart showing the pre-process.
Fig. 11 shows a step for conversion of the identification name.
Fig. 12 shows a step of enumeration.
Fig. 13 shows a naming tree for enumeration.
Fig. 14 is a flow chart showing access denial and access permission of access control based on an embodiment of the present invention.
Fig. 15 is a flow chart for renewal of the corresponding table in the case of adding MOI.
Fig. 16 is an example for renewal of the corresponding table in the case of deleting MOI.
Fig. 17 is a flow chart for renewal of the corresponding table in the case of deleting MOI.
Fig. 18 is an example for renewal of the corresponding table in the case of deleting MOI.
Fig. 19 shows a naming tree.
DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS
An embodiment of the present invention will be explained referring to the drawings.
As shown in Fig. 9, in a step S0, a pre-process is carried out on the naming tree which is the object of access control, for achieving a rapid decision of access denial and permission. In the pre-processing, for every scope which can be designated by the management operation, all MOI included within the scope are obtained. One time of the pre-processing is sufficient.
After the pre-processing, in a step S1, a management operation is issued. Then, in a step S2, access denial and access permission are decided by using the corresponding table which was made in the step for table making in the pre-processing.
In a step S3, it is judged whether there is a generation or deletion of MOI. If MOI is changed, a renewal of the corresponding table is carried out before the next decision of access denial or access permission of the management operation.
(Abstract of pre-processing)
As shown in Fig. 10, in the pre-processing, an identification name of MOI is converted in a step S1. After the step S1, for every scope which can be designated by the management operation, all MOI included within the scope are enumerated in a step S2. Then, in a step S3, the corresponding table, which corresponds to the relation between a scope and the set of MOI included within the scope, is made.
(Detailed description 1 of pre-processing: conversion step of identification name)
The identification name of MOI is encoded according to BER (Basic Encoding Rules) of ASN.1 (Abstract Syntax Notation One) etc. See [ITU-T Rec. X.690, ASN.1 encoding rules: Specification of BER, Canonical encoding rules (CER), and Distinguished encoding rules (DER), 1994].
The identification name is converted, as shown in Fig. 11, by allotting an index to the encoded identification name of MOI.
In Fig. 11, "r" denotes the identification name, comprising "1" and "0", of the input MOI, "|r|" denotes the bit length of the identification name "r", "n" denotes the number of MOI in the naming tree, and "N" denotes the number of bits of the index allotted to the identification name "r". "⌈x⌉" denotes an integer rounded up from a value x. "XOR" denotes the exclusive OR as shown in equation 3.
(equation 3)
x XOR y = 0 (when x = y)
x XOR y = 1 (when x ≠ y)
In the steps shown in Fig. 11,
(1) A conversion is started by an input of MOI having the identification name r.
(2) In a step S1, a value N is calculated as ⌈log2 n⌉ from the number n of MOI in the naming tree. Namely, it is possible to indicate all MOI by an index which is an N-bit sequence.
(3) In a step S2, the identification name r is divided into m blocks B_i (1 ≤ i ≤ m), wherein the number of bits of each block is N. A value "0" is applied to the m-th block B_m if an insufficiency of bits occurs in the m-th block B_m.
(4) In a step S3, an exclusive OR of the j-th bit b_ij (1 ≤ j ≤ N) of each block B_i is calculated as C_j = b_1j XOR b_2j XOR b_3j XOR ... XOR b_mj.
(5) The identification name r is converted to an N-bit sequence C_1C_2C_3...C_N by using C_j, and the N-bit sequence C_1C_2C_3...C_N is outputted as an index. Namely, the index is made by putting said calculated values C_j in order from C_1 to C_N.
(6) The index allots 0 to n-1 in decimal to the n MOI on the naming tree.
There is no same index among MOI because of using XOR. While the length of the identification name r is not constant among MOI on the naming tree, it is possible to use an index having a constant length because of the conversion to C_1C_2C_3...C_N. Further, it is possible to achieve a high speed access because the length of the index C_1C_2C_3...C_N is shorter than the length of the identification name r.
An example of the conversion of the identification name follows, wherein the input identification name r is 10001000 00001110 10110001 00010000 11000100 00011000 and the number n is 100.
(1) In the step S1, N = ⌈log2 100⌉ = ⌈6.6438...⌉ = 7.
(2) In the step S2, |r| = 48 and m = 7 from ⌈48/7⌉, then the identification name r is divided into 7 blocks B_i (1 ≤ i ≤ 7), wherein the number of bits of each block is 7. A value "0" is applied to the 7th bit of the final block B_7 because N × m - |r| = 49 - 48 = 1. Namely, B_1=1000100, B_2=0000011, B_3=1010110, B_4=0010001, B_5=0000110, B_6=0010000, B_7=0110000.
(3) For the 1st bit b_i1 of each block B_i (1 ≤ i ≤ 7), the 1st bit C_1 = 1 XOR 0 XOR 1 XOR 0 XOR 0 XOR 0 XOR 0 = 0 because of b_11=1, b_21=0, b_31=1, b_41=0, b_51=0, b_61=0, b_71=0.
(4) In the same way, C_2=1, C_3=0, C_4=0, C_5=1, C_6=1, C_7=0.
(5) Then the identification name r is converted to "0100110" based on the bit sequence C_1C_2C_3C_4C_5C_6C_7 = 0100110.
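The conversion worked through above, as an added Python example that is not code from the patent: `fold_name` zero-pads the last block and XORs the N-bit blocks, and `build_index_table` also refuses two names that fold to the same index, since each index selects one bit of every scope[] and targets[] vector. The function names are constructed for illustration; the 48-bit name and n = 100 are the values of the worked example.

```python
"""XOR-fold an encoded MOI identification name into a fixed-width index."""

# The 48-bit identification name r of the worked example, as six octets.
PAGE_EXAMPLE_NAME = bytes([0x88, 0x0E, 0xB1, 0x10, 0xC4, 0x18])
PAGE_EXAMPLE_N = 100  # number of MOI in the naming tree in that example


def index_width(n: int) -> int:
    """N = ceil(log2 n), computed with integers to avoid float rounding."""
    if n < 1:
        raise ValueError("the naming tree must contain at least one MOI")
    return max(1, (n - 1).bit_length())


def fold_name(encoded: bytes, n: int) -> str:
    """Return the N-bit index C_1..C_N of one encoded identification name."""
    if not encoded:
        raise ValueError("empty identification name")
    width = index_width(n)
    bits = "".join(f"{octet:08b}" for octet in encoded)
    bits += "0" * (-len(bits) % width)          # zero-pad the last block B_m
    index = 0
    for start in range(0, len(bits), width):    # XOR block B_i into C, bit by bit
        index ^= int(bits[start:start + width], 2)
    return format(index, f"0{width}b")


def build_index_table(names):
    """Index every name of one naming tree; n is the number of names.

    Folded values range over 0 .. 2**N - 1. Two names that fold to the same
    value would share one bit position in every scope[] and targets[] vector,
    so the build stops instead of silently merging them.
    """
    n = len(names)
    table, owner = {}, {}
    for name in names:
        index = int(fold_name(name, n), 2)
        if index in owner:
            raise ValueError(
                f"index {index} shared by {owner[index]!r} and {name!r}")
        owner[index] = name
        table[name] = index
    return table


if __name__ == "__main__":
    print(fold_name(PAGE_EXAMPLE_NAME, PAGE_EXAMPLE_N))
```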
(Detailed description 2 of pre-processing: enumeration step)
In the enumeration step, as shown in Fig. 12, the MOI included within a scope are obtained for every scope which can be designated by the management operation. Therefore, as defined by equations 4-7, a matrix A having a size of n × n and a matrix C having a size of n × n are used.
The matrix A is a connection matrix which denotes the naming tree. In a step S12 shown in Fig. 12, when the BaseTo(i-1)thLevel scope becomes a BaseTo0thLevel scope, the BaseTo0thLevel scope is treated as a BaseObject scope.
(equation 4)
(a_ij) = 1, when MOI_i with index i is a parent of MOI_j with index j on the naming tree T,
(a_ij) = 0, when MOI_i with index i is not a parent of MOI_j with index j on the naming tree T,
wherein (a_ij) is the element on the i-th line and j-th row of the matrix A.
(equation 5)
A^0 = E (unit matrix)
(equation 6)
(equation 7)
C^i = A^0 + A^1 + A^2 + ... + A^i (i ≥ 1)
In Fig. 12,
(1) In a step S1, A^x and C^x (1 ≤ x ≤ D) are calculated until A^(D+1) = 0, wherein D is the depth of the naming tree T.
(2) In a step S2, i and A^i are initialized as i = 1 and A^i = A^1 = A.
(3) In a step S3, when the MOI having index j is indicated as MOI_j, j is initialized as j = 0.
(4) In a step S4, it is judged whether MOI_j satisfies the condition indicated in the next step S5. If not satisfied, the step S5 is done. If satisfied, a step S8 is done.
(5) In the step S5, when (a^i_j) indicates the elements in the j-th line of A^i, that is, the elements of the line of MOI_j of a certain matrix A^i, it is judged whether (a^i_jk) is 0 for all k. If not satisfied, the step S6 is done. If satisfied, a step S12 is done.
(6) In the step S6, it is judged that the ithLevelOnly scope whose BOI is MOI_j includes MOI_k where (a^i_jk) = 1. Then a step S7 is done.
(7) In the step S7, when (c^i_j) indicates the elements in the j-th line of C^i, that is, the elements of the line of MOI_j of a certain matrix C^i, it is judged that the BaseToithLevel scope whose BOI is MOI_j includes MOI_k wherein (c^i_jk) = 1. Then a step S8 is done.
(8) In the step S12, the WholeSubtree scope whose BOI is MOI_j is treated as the BaseTo(i-1)thLevel scope. Then a step S8 is done.
(9) In the step S8, j is increased by 1. Then a step S9 is done.
(10) In the step S9, it is judged whether j is smaller than n. If true, the step S4 is done. If false, a step S10 is done.
(11) In the step S10, i is increased by 1, namely the matrix A^i is changed into a matrix A^(i+1) and the matrix C^i is changed into a matrix C^(i+1).
(12) In a step S11, it is judged whether i is smaller than D+1. If true, the step S3 is done. If false, the enumeration is finished.
(example of enumeration) An example of the enumeration step is explained on the naming tree T shown in Fig. 13. The connection matrix A of the tree T is shown in the equation 8. The matrix is started from the 0-th line and 0-th row.
(equation 8)
A =
01100000
00000000
00011100
00000011
00000000
00000000
00000000
00000000
(1) In the step S1 shown in Fig. 12, A^2, A^3, A^4, C^2 and C^3 are obtained as shown in equations 9-13 based on the equations 6 and 7.
(equation 9)
A^2 =
00011100
00000000
00000011
00000000
00000000
00000000
00000000
00000000
(equations 10 to 13: the matrices A^3, A^4, C^2 and C^3; their entries are not legible in this text)
(2) i is set as i = 1 in the step S2 and j is set as j = 0 in the step S3.
(3) In the step S4, MOI_0 does not satisfy the condition indicated in the step S5. Then the step S5 is done.
(4) In the step S5, (a^1_0k) is not 0 for all k. Then, the step S6 is done.
(5) In the step S6, the ithLevelOnly (= 1stLevelOnly) scope of which BOI is MOI_0 includes MOI_1 and MOI_2, because of (a^1_01) = 1 and (a^1_02) = 1.
(6) In the step S7, the BaseToithLevel (= BaseTo1stLevel) scope of which BOI is MOI_0 includes MOI_0, MOI_1 and MOI_2, because of (c^1_00) = 1, (c^1_01) = 1 and (c^1_02) = 1.
(7) In the step S8, j = 1, and j = 1 < n = 8. The step S4 is done because the judgement in the step S9 is false.
(8) In the step S4, MOI_1 does not satisfy the condition indicated in the step S5. Then the step S5 is done.
(9) In the step S5, (a^1_1k) is 0 for all k. Then the step S12 is done because the judgement in the step S9 is false.
(10) In the step S12, the WholeSubtree scope of which BOI is MOI_j (= MOI_1) is treated as the BaseTo(i-1)thLevel (= BaseTo0thLevel = BaseObject) scope.
(11) By repeating the same process, at every scope, a set of MOI included in the scope
(step for making a corresponding table) A table indicating a correspondence between scope and MOI included within scope is made by using the above-mentioned results. The table shows a part of the table corresponding to the naming tree T shown in Fig. 13. Namely, all of scope is indicated as a combination of a type of scope and BOI. Regarding each scope all of which can be designated in a management operation, an arrangement "scope[]" of which size is n and which represents an MOI included in the scope is obtained as scope[i]=1 if an MOI_i is included in the scope, scope[i]=0 if an MOI_i is not included in the scope.
Then, the corresponding table is made by obtaining "scope[]"
(table 4)
Columns: BOI, type of scope, and the bits of scope[] for MOI 0 to 7.
Rows for BOI 0: BaseObject, BaseTo1stLevel, BaseTo2ndLevel, WholeSubtree, 1stLevelOnly, 2ndLevelOnly, 3rdLevelOnly.
Rows for BOI 1: BaseObject.
Rows for BOI 2: BaseObject, BaseTo1stLevel, WholeSubtree, 1stLevelOnly, 2ndLevelOnly.
(The scope[] bit entries of the table are not legible in this text.)
Referring to an example shown in the table 4 and Fig. 7 and Fig. 8, a process to decide an access denial and permission will be described.
(example of decision for an access denial) In Fig. 7, objects of the management operation are J, L, M and N out of all MOI indicated by A-N on the naming tree T. Therefore, scope[i]=1 denotes that MOI_i is included within scope and scope[i]=0 denotes that MOI_i is not included within scope. Size of scope[] is n (A-N). Then scope[] becomes as below. Further, in the table 3, access to the targets 1 (MOI_C, MOI_F, MOI_G, MOI_J) by the initiator X is denied because of the item denial rule 1. Therefore, targets[i]=1 denotes that MOI_i is protected and targets[i]=0 denotes that MOI_i is not protected. Size of targets[] is n. Then targets[] becomes as below.
            ABCDEFGHIJKLMN
scope[]   = 00000000010111
targets[] = 00100110010000
Wherein, scope[]=00000000010111 (n=14) is quickly and easily obtained by previously making the corresponding table of the tree shown in Fig. 7 in the above-mentioned step, because the object of the management operation shown in Fig. 7 can be designated by WholeSubtree scope of which BOI is MOI_J. By the step S3 shown in Fig. 14, a denial of each bit element of "targets[]" is a bit sequence of "11011001101111". In each bit, a logical product (logical and) between the "scope[]" (= 00000000010111) and a denial (= 11011001101111) of the "targets[]" (= 00100110010000) is calculated. Then scope[] becomes as follows.
            ABCDEFGHIJKLMN
scope[]   = 00000000000111
Namely, access to only MOI_J is denied and access to MOI_L, MOI_M and MOI_N are not denied.
(example of decision for an access permission) In Fig. 8, objects of the management operation are D, E, F and G out of all MOI indicated by A-N on the naming tree T. Therefore, scope[i]=1 denotes that MOI_i is included within scope and scope[i]=0 denotes that MOI_i is not included within scope. Size of scope[] is n (A-N). Then scope[] becomes as below. Further, in the table 3, access to the targets 2 (MOI_D, MOI_F, MOI_G, ...) by the initiator Y is permitted because of the item 2. Therefore, targets[i]=1 denotes that MOI_i is opened and targets[i]=0 denotes that MOI_i is not opened. Size of targets[] is n. Then targets[] becomes as below.
            ABCDEFGHIJKLMN
scope[]   = 00011110000000
targets[] = 00010110000000
Wherein, scope[]=00011110000000 (n=14) is quickly and easily obtained by previously making the corresponding table of the tree shown in Fig. 8 in the above-mentioned step, because the object of the management operation shown in Fig. 8 can be designated by 2ndLevelOnly scope of which BOI is MOI_A. By the step S4 shown in Fig. 14, in each bit, a logical product (logical and) between "scope[]" (= 00011110000000) and "targets[]" (= 00010110000000) is calculated.
Then scope[] becomes as follows.
            ABCDEFGHIJKLMN
scope[]   = 00010110000000
Namely, access to MOI_D, MOI_F and MOI_G are permitted.
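The enumeration by powers of the connection matrix and the two bitwise decisions described above can be followed in the added example below, which is not code from the patent. The scope names used as table keys (Level1Only, BaseToLevel1 and so on), the function names and the matrix A8 as read from equation 8 are assumptions of this example.

```python
# Added example, not code from the patent. Character i of every bit string
# stands for MOI_i, like the scope[] and targets[] arrays in the text.

def bool_mul(X, Y):
    """Boolean matrix product, used for A^(i+1) = A^i A."""
    n = len(X)
    return [[int(any(X[r][k] and Y[k][c] for k in range(n)))
             for c in range(n)] for r in range(n)]

def bits(row):
    return "".join(str(b) for b in row)

def enumerate_scopes(A):
    """Return {(BOI index, scope name): bit string} for connection matrix A."""
    n = len(A)
    Ci = [[int(r == c) for c in range(n)] for r in range(n)]   # C^0 = A^0 = E
    table = {(j, "BaseObject"): bits(Ci[j]) for j in range(n)}
    Ai = A
    for i in range(1, n + 1):                  # a tree of n MOI has depth < n
        if not any(any(row) for row in Ai):    # A^i = 0: enumeration finished
            break
        Ci = [[Ci[r][c] | Ai[r][c] for c in range(n)] for r in range(n)]
        for j in range(n):
            if any(Ai[j]):                     # MOI_j has MOI i levels below it
                table[(j, f"Level{i}Only")] = bits(Ai[j])
                table[(j, f"BaseToLevel{i}")] = bits(Ci[j])
        Ai = bool_mul(Ai, A)
    for j in range(n):
        # Row j of C stops changing once row j of A^i is all 0, so the final
        # row is the BaseTo(i-1)thLevel scope that step S12 calls WholeSubtree.
        table[(j, "WholeSubtree")] = bits(Ci[j])
    return table

def decide(scope, targets, rule):
    """Bitwise AND of scope[] with targets[] (permit) or its denial (deny)."""
    if len(scope) != len(targets) or set(scope + targets) - {"0", "1"}:
        raise ValueError("scope[] and targets[] must be bit strings of equal size n")
    if rule not in ("deny", "permit"):
        raise ValueError("unknown rule: " + rule)
    want = "0" if rule == "deny" else "1"      # deny keeps MOI that are NOT targets
    return "".join("1" if s == "1" and t == want else "0"
                   for s, t in zip(scope, targets))

# Connection matrix as read from equation 8 (MOI_0 is the root of the tree).
A8 = [[int(ch) for ch in row] for row in (
    "01100000", "00000000", "00011100", "00000011",
    "00000000", "00000000", "00000000", "00000000")]

if __name__ == "__main__":
    for key, value in sorted(enumerate_scopes(A8).items()):
        print(key, value)
    print(decide("00000000010111", "00100110010000", "deny"))    # Fig. 7 example
    print(decide("00011110000000", "00010110000000", "permit"))  # Fig. 8 example
```

The size check in decide matters after a table renewal: a scope[] and a targets[] of different length n refer to different sets of MOI and are rejected instead of being compared.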
(renewal of corresponding table) A renewal of the corresponding table will be described.
As mentioned above, the configuration of the naming tree may be changed when a new MOI is generated or added and when an old MOI is deleted. Therefore it is necessary to renew the table.
(generation of MOI) Fig. 15 shows a step for renewing the table when a new MOI_m0 is added to the naming tree.
(1) In a step S1 in Fig. 15, all MOI on a route from an MOI_m1 upper than MOI_m0 to a root MOI_mp are named as MOI_m1, MOI_m2, ..., MOI_mp in order from MOI_m1.
(2) By a step S2 in Fig. 15, in the corresponding table, MOI_m0 is added to a BaseTojthLevel scope (i ≤ j), a WholeSubtree scope and an ithLevelOnly scope each of which BOI (Base Object Instance) is an MOI_mi (1 ≤ i ≤ p).
(example of generation of MOI) An example of renewal, when MOI_8 (= m0) is added as a child of MOI_5 to the naming tree T shown in Fig. 16, will be described.
(1) Step S1: A parent of MOI_5 is the 2nd line in the 5th (= m1) row of which value is "1" in the matrix A. In the same way, a parent of MOI_2 is the 0th (= m3) line in the 2nd (= m2) row of which value is "1" in the matrix A. Because MOI_0 is root, MOI_m1 = MOI_5, MOI_m2 = MOI_2 and MOI_m3 = MOI_0 (root).
(2) Step S2: MOI_8 (= m0) is added to a BaseTojthLevel scope (1 ≤ j), a WholeSubtree scope and a 1stLevelOnly scope each of which BOI (Base Object Instance) is MOI_m1. MOI_8 (= m0) is added to a BaseTojthLevel scope (2 ≤ j), a WholeSubtree scope and a 2ndLevelOnly scope each of which BOI (Base Object Instance) is MOI_m2. MOI_8 (= m0) is added to a BaseTojthLevel scope (3 ≤ j), a WholeSubtree scope and a 3rdLevelOnly scope each of which BOI (Base Object Instance) is MOI_m3. Namely, scope[8]=1 is added to the above-mentioned scopes, and scope[8]=0 is added to the other scopes.
(deletion of MOI) Fig. 17 shows a step for deleting from the table when an old MOI_m0 is deleted from the naming tree.
(1) In a step S1 in Fig. 17, all MOI on a route from an MOI_m1 upper than MOI_m0 to a root MOI_mp are named as MOI_m1, MOI_m2, ..., MOI_mp in order.
(2) By a step S2 in Fig. 17, in the corresponding table, MOI_m0 is deleted from a BaseTojthLevel scope (i ≤ j), a WholeSubtree scope and an ithLevelOnly scope each of which BOI (Base Object Instance) is an MOI_mi (1 ≤ i ≤ p).
(example of deletion of MOI) An example of deletion, when MOI_7 which is a child of MOI_3 is deleted from the naming tree T shown in Fig. 18, will be described.
(1) Step S1: A parent of MOI_7 (= m0) is the 3rd (= m1) line in the 7th (= m0) row of which value is "1" in the matrix A. In the same way, a parent of MOI_3 (= m1) is the 2nd (= m2) line in the 3rd (= m1) row of which value is "1" in the matrix A. Because MOI_0 is root, MOI_m1 = MOI_3, MOI_m2 = MOI_2 and MOI_m3 = MOI_0 (root).
(2) Step S2: MOI_7 (= m0) is deleted from the BaseTojthLevel scope (1 ≤ j), WholeSubtree scope and 1stLevelOnly scope each of which BOI (Base Object Instance) is MOI_m1. MOI_7 (= m0) is deleted from the BaseTojthLevel scope (2 ≤ j), WholeSubtree scope and 2ndLevelOnly scope each of which BOI (Base Object Instance) is MOI_m2. MOI_7 (= m0) is deleted from the BaseTojthLevel scope (3 ≤ j), WholeSubtree scope and 3rdLevelOnly scope each of which BOI (Base Object Instance) is MOI_m3. Namely, scope[7]=1 is deleted from the above-mentioned scopes, and scope[7]=0 is deleted from the other scopes.
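The renewal rules for generation and deletion of an MOI can be checked against a table rebuilt from scratch, as in the added example below, which is not code from the patent. It assumes a parent-pointer view of the tree of equation 8, sets of MOI indices in place of bit arrays, hypothetical scope names as keys, and deletion of leaf MOI only; creating the new MOI's own BaseObject and WholeSubtree rows is also an assumption, since the text does not describe them.

```python
# Added example, not code from the patent. parent[x] is the index of the
# parent of MOI_x (None for the root); the table maps
# (BOI index, scope name) -> set of MOI indices inside that scope.

def route(parent, m0):
    """MOI_m1 ... MOI_mp: the ancestors of MOI_m0, nearest first, root last."""
    out, m = [], parent[m0]
    while m is not None:
        out.append(m)
        m = parent[m]
    return out

def build(parent):
    """Reference table computed from scratch out of the scope definitions."""
    table = {}
    for x in parent:
        table[(x, "BaseObject")] = {x}
        table.setdefault((x, "WholeSubtree"), set()).add(x)
        for i, b in enumerate(route(parent, x), start=1):
            table.setdefault((b, "WholeSubtree"), set()).add(x)
            table.setdefault((b, f"Level{i}Only"), set()).add(x)
    for b in parent:
        acc, j = {b}, 1
        while (b, f"Level{j}Only") in table:
            acc = acc | table[(b, f"Level{j}Only")]
            table[(b, f"BaseToLevel{j}")] = acc
            j += 1
    return table

def add_moi(table, parent, m0, m1):
    """Step S2 of Fig. 15: add new MOI_m0 as a child of MOI_m1."""
    parent[m0] = m1
    table[(m0, "BaseObject")], table[(m0, "WholeSubtree")] = {m0}, {m0}
    for i, b in enumerate(route(parent, m0), start=1):
        if (b, f"Level{i}Only") not in table:   # subtree of b gets one level deeper
            table[(b, f"Level{i}Only")] = set()
            table[(b, f"BaseToLevel{i}")] = set(table[(b, "WholeSubtree")])
        for (boi, name), members in table.items():
            level = int(name[11:]) if name.startswith("BaseToLevel") else None
            if boi == b and (name in ("WholeSubtree", f"Level{i}Only")
                             or (level is not None and level >= i)):
                members.add(m0)

def delete_moi(table, parent, m0):
    """Step S2 of Fig. 17: delete MOI_m0, which must be a leaf here."""
    if m0 in parent.values():
        raise ValueError("MOI_%d still has children" % m0)
    for i, b in enumerate(route(parent, m0), start=1):
        for (boi, name), members in table.items():
            if boi == b:
                members.discard(m0)
        if not table[(b, f"Level{i}Only")]:     # level i below b is now empty
            del table[(b, f"Level{i}Only")], table[(b, f"BaseToLevel{i}")]
    del table[(m0, "BaseObject")], table[(m0, "WholeSubtree")], parent[m0]

def fig13_parents():
    """Tree of equation 8: MOI_0 is root; constructed from the matrix rows."""
    return {0: None, 1: 0, 2: 0, 3: 2, 4: 2, 5: 2, 6: 3, 7: 3}
```

Comparing the incrementally renewed table with build() after every change is a cheap regression check that no scope keeps a stale MOI that a later denial rule would then fail to cover.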
The above-mentioned process is generally carried out by a computer.
Namely, the computer carries out the process by reading program data of the process which are stored in a recording medium. Thus the computer is an apparatus having a function which carries out the above-mentioned process.
(effect of the invention) Preferred embodiments of the present invention have the following effects (1) and (2) over the prior art.
(1) Calculation amount is smaller than the prior art of access control using the management operation as access unit.
(2) Fine access control using the managed object instance as access unit is possible.
Further, by converting to the index from the identification name of MOI, it is possible to unify the bit length of the identification name and quick access to MOI is possible. By the enumeration process, it is possible to simply and clearly indicate the MOI which is included within scope which can be designated by the management operation and it is possible to simply and clearly indicate the object to be protected or opened. By renewing the corresponding table, it is possible to simply and easily adapt to a change of MOI which occurs based on the addition or deletion of MOI on the naming tree. Further, by calculating a logical product in each bit of "scope[]" and "targets[]", it is possible to simply and easily obtain the intersection between scope and the protected object or the opened object.

Claims (16)

1. A method for converting a name of MOI (Managed Object Instance) in a name tree to an index, wherein "n" denotes a number of MOI in the name tree, "⌈x⌉" denotes an integer rounded up from a value x and "XOR" denotes an exclusive OR, said method comprising: a step for dividing a bit sequence to m blocks B_i (1 ≤ i ≤ m), wherein a number of each block is N which is given as ⌈log2 n⌉, a step for calculating an exclusive OR of a j-th bit b_ij (1 ≤ j ≤ N) of each block B_i as C_j = b_1j XOR b_2j XOR b_3j ... XOR b_mj, a step for making an N bits sequence C_1 C_2 C_3 ... C_N as an index of an identification name by putting said calculated value C_j from C_1 to C_N, wherein a value "0" is applied to an m-th block B_m if an insufficiency of a bit occurs in the m-th block B_m.
2. A method for enumeration of some scope wherein, regarding to each scope all of which can be designated in a management operation, an arrangement "scope[]" of which size is n and which represents an MOI included in the scope is obtained as, scope[i]=1 if an MOI_i is included in the scope, scope[i]=0 if an MOI_i is not included in the scope.
3. A method for enumeration of some scope wherein, when a new MOI_m0 is added to a name tree, the MOI_m0 is added to a BaseTojthLevel scope (i ≤ j) of which BOI (Base Object Instance) is an MOI_mi (1 ≤ i ≤ p), a WholeSubtree scope and an ithLevelOnly scope, wherein MOI on a route from an MOI_m1 upper than MOI_m0 to a root MOI_mp in the MOI_m0 to be added is put in order from MOI_m1 as MOI_m1, MOI_m2, ..., MOI_mp.
4. A method for enumeration of some scope wherein, when an MOI_m0 is deleted from a name tree, the MOI_m0 is deleted from a BaseTojthLevel scope (i ≤ j) of which BOI (Base Object Instance) is an MOI_mi (1 ≤ i ≤ p), a WholeSubtree scope and an ithLevelOnly scope, wherein MOI on a route from an MOI_m1 upper than MOI_m0 to a root MOI_mp in the MOI_m0 to be deleted is put in order from MOI_m1 as MOI_m1, MOI_m2, ..., MOI_mp.
5. A method for enumeration of a target wherein, regarding to each targets MOI which is a protect target to be protected from an authority or an open target to be opened to an authority, an arrangement "targets[]" of which size is n and which represents the target MOI is obtained as, targets[i]=1 if an MOI_i is protected or opened, targets[i]=0 if an MOI_i is not protected and not opened.
6. A method for making a table wherein, regarding to each scope all of which can be designated in a management operation, a table corresponding to an MOI included in the scope is made.
7. A method for detecting an intersection, wherein, an intersection between a management object and a protect object is obtained by calculating in each bit a logical product (logical and) between the "scope[]" obtained in claim 2 or 3 or 4 or 6 and a denial of the "targets[]" obtained in claim 5 which is shown in below equation 1
(equation 1) denial of "targets[]" = $\overline{\text{targets[]}}$
8. A method for detecting an intersection wherein, an intersection between a management object and a protect object is obtained by calculating in each bit a logical product (and) between the "scope[]" obtained in claim 2 or 3 or 4 and the "targets[]" obtained in claim 5.
9. An access control method by using MOI as an access unit comprises; a step for calculating in each bit a logical product (logical and) between a denial of each "targets[]" in an item denial rule obtained in claim 5, which is shown in below equation 2, and the "scope[]" obtained in claim 2 or 3 or 4 or 6,
(equation 2) denial of "targets[]" = $\overline{\text{targets[]}}$
and a step for allowing only an MOI of which scope[i] is "1" based on said calculation.
10. An access control method by using MOI as an access unit comprises; a step for calculating in each bit a logical product (logical and) between each "targets[]" in an item permission rule obtained in claim 5 and the "scope[]" obtained in claim 2 or 3 or 4 or 6, and a step for allowing only an MOI of which scope[i] is "1" based on said calculation.
11. A method for converting a name of MOI (Managed Object Instance) substantially as hereinbefore described with reference to the accompanying drawings.
12. A method for enumeration of some scope substantially as hereinbefore described with reference to the accompanying drawings.
13. A method for enumeration of a target substantially as hereinbefore described with reference to the accompanying drawings.
14. A method for making a table substantially as hereinbefore described with reference to the accompanying drawings.
15. A method for detecting an intersection substantially as hereinbefore described with reference to the accompanying drawings.
16. An access control method substantially as hereinbefore described with reference to the accompanying drawings.
GB9804706A 1997-03-05 1998-03-05 Controlling the access to objects in a Management Information Base in an OSI managed network Withdrawn GB2324895A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
JP05007497A JP3691624B2 (en) 1997-03-05 1997-03-05 Management information based access control method in OSI management

Publications (2)

Publication Number Publication Date
GB9804706D0 GB9804706D0 (en) 1998-04-29
GB2324895A true GB2324895A (en) 1998-11-04

Family

ID=12848867

Family Applications (1)

Application Number Title Priority Date Filing Date
GB9804706A Withdrawn GB2324895A (en) 1997-03-05 1998-03-05 Controlling the access to objects in a Management Information Base in an OSI managed network

Country Status (4)

Country Link
US (1) US6081838A (en)
EP (1) EP0863645A3 (en)
JP (1) JP3691624B2 (en)
GB (1) GB2324895A (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
SE506535C2 (en) * 1995-06-16 1998-01-12 Ericsson Telefon Ab L M Method and apparatus for deriving instance information in an information management system
FR2795580A1 (en) 1999-06-28 2000-12-29 Bull Sa METHOD FOR REMOTE INTERROGATION OF SNMP AGENTS
US20080244736A1 (en) * 2007-03-30 2008-10-02 Microsoft Corporation Model-based access control
JP5536769B2 (en) * 2008-06-27 2014-07-02 テレフオンアクチーボラゲット エル エム エリクソン(パブル) Method and apparatus in communication network system
CN103078751B (en) * 2011-12-13 2016-05-18 上海寰创通信科技股份有限公司 The efficient internal memory querying method of network management system and in batches loading method
JP6214366B2 (en) * 2013-12-05 2017-10-18 三菱電機株式会社 Arithmetic element management apparatus and arithmetic element management program
US9971840B2 (en) * 2014-05-07 2018-05-15 Connectwise, Inc. Systems and methods for discovering and monitoring devices using search patterns for object identifiers and values

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0483424A1 (en) * 1990-10-30 1992-05-06 International Business Machines Corporation Key hashing in data processors
US5317742A (en) * 1991-06-21 1994-05-31 Racal-Datacom, Inc. Dynamic translation of network management primitives to queries to a database
JP3173102B2 (en) * 1992-03-17 2001-06-04 株式会社日立製作所 Network management operation system and management operation processing method

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
LAN Magazine Vol. 11, No. 6, June 1996, pages 107-109 *
UNIX Review Vol. 8, No. 3, March 1990, pages 60-67 *

Also Published As

Publication number Publication date
GB9804706D0 (en) 1998-04-29
JP3691624B2 (en) 2005-09-07
EP0863645A2 (en) 1998-09-09
US6081838A (en) 2000-06-27
JPH10247907A (en) 1998-09-14
EP0863645A3 (en) 2000-10-25

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)